A data object, such as a document, is combined or associated with signature or 
authentication data, such as a time-stamp or signature. Both the data object and the signature 
data are encrypted. Finally, a distinct data object is generated (digested or hashed) from the 
encrypted data object and signature data; the distinct data object has characteristics determined 
by the data object and the signature data. The data object may be hashed or digested prior to 
being combined with the signature data. 

METHOD OF AUTHENTICATING OR "DIGITALLY SIGNING" DIGITAL DATA OBJECTS 



TECHNICAL FIELD OF THE INVENTION 

The present invention relates in general to providing authentication of digital data, 
such as document or other data files or objects. More particularly, the present invention 
relates to methods of securely appending or otherwise incorporating a digital signature 
or indicia of authenticity into a data object. 



BACKGROUND OF THE INVENTION AND BACKGROUND ART 

There have been several prior attempts to digitally "sign," "notarize," or otherwise 
authenticate a digital data object such as a text document. Generally speaking, one 
drawback to the storage of, for instance, digital document files, is that it can be difficult 
to establish whether the version retrieved or transmitted is the identical document 
originally stored or created. A "digital signature" or "notary" is a common nomenclature 
for an attempt to provide indicia of authenticity of the digital data. 

One such method is found in U.S. Patent Number 5,022,080, June 4, 1991, to 
Durst et al., which discloses a method of digitally notarizing a document comprising the 
steps of hashing the document, transmitting the digest (or result of the hash) to a trusted 
third party, where the digest is combined with a time-stamp, and then encrypting the 
combination to produce a "digitally notarized" document. All that is required to 
authenticate the document is the key to the encryption technique. Thus, simply by 
"breaking the code" the authenticity indicia or the underlying data object can be altered 
or tampered with. 

Other solutions complicate this basic scheme, to render it more difficult to break 
the code successfully. For instance, U.S. Patent [illegible] 13, 1994 
to Haber et al. [illegible] encrypts the signature data to take advantage of ever-
increasing computational power and advances in encryption, which also render the 
authentic document more susceptible to alteration, decryption, or tampering as time 
passes. However, [illegible] the advantage is lost. 

A need exists, therefore, for a method of digitally authenticating a data object that 
is not susceptible to future tampering, yet is sufficiently simple as to be implemented in 
a practical and efficient manner. 

DISCLOSURE OF THE INVENTION 

It is a general object of the present invention to provide a method of providing a 
data object that can be verified or authenticated, reliably, with minimal risk of tampering. 

This and other objects of the present invention are achieved by associating or 
combining a data object, such as a document, with signature or authentication data, 
such as a time-stamp or signature. Both the data object and the signature data are 
encrypted. Finally, a distinct data object is generated or digested from the combination 
of encrypted data object and signature data; the distinct data object has characteristics 
determined by the data object and the signature data. 

According to the preferred embodiment of the present invention, the generation 
of the distinct data object is achieved using a hashing algorithm, such as SHA-1. 

According to the preferred embodiment of the present invention, the signature or 
authentication data is provided by a trusted third party. The data object transmitted to the 
third party may be a digest or hash of the data object to preserve the confidentiality of the 
data object. 

According to the preferred embodiment of the present invention, the encryption 
step is achieved by a symmetric encryption algorithm. 

According to the preferred embodiment of the present invention, the authenticity 
of the original data object is confirmed by reproducing the distinct data object by 
identically encrypting a data object identical to the original, generating another distinct 
data object, and comparing the second and first distinct data objects for identity. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a high-level flow chart depicting the steps of the method according to 
the preferred embodiment of the present invention, and more particularly the steps of 
providing a data object with [illegible]. 

Figure 2 is a block diagram schematically depicting a portion of the method of 
Figure 1 according to [illegible]. 

Figure 3 is a high-level flow chart illustrating the steps of the method according 
to the preferred embodiment of the present invention, and more particularly of the steps 
of authenticating a data object provided with authentication data. 

Figure 4 is a block diagram schematically depicting a portion of the method of 
Figure 3 according to the preferred embodiment of the present invention. 



MODE(S) FOR CARRYING OUT THE INVENTION 

Referring now to the Figures, and particularly to Figure 1, a high-level flow chart 
depicts the basic steps of a portion of the method according to the present invention. 
First, at block 11, a first data object, or item, is provided by a user or customer of the 
method. The data object or item could be a document, drawing, image file, or any item 
or segment of data that [illegible] authenticated or verified in the future. 

At block [illegible], the data object is combined or associated with signature or 
authentication data. The signature or authentication may include the time of creation of 
the data object, the name of the author of the object, predetermined characters indicating 
the origin of the object, or virtually any other data the user desires to serve as evidence 
of authenticity of the underlying data object. According to the preferred embodiment of 
the present invention, the authentication data is a "time stamp" that comprises, for 
instance, the time and date from the "Atomic Clock" maintained by the United States 
Naval Observatory (e.g., 22:13.02; 4 April 1998). The signature or authentication data 
is appended, concatenated, or otherwise conventionally combined or associated with the 
data object. As discussed in greater detail with reference to Figure 2, the time stamp or 
other signature or authentication data is provided by a trusted third party, perhaps the 
vendor of the method, who also keeps meticulous records of the method used to combine 
or associate the data object with signature or authentication data. 

Next, at block 15, the combination of the data object and signature or 
authentication data is encrypted using conventional symmetric secret-key, asymmetric 
public-key techniques or [illegible] use a key known only to the 
trusted third party. The encryption technique could be as simple as appending or 
concatenating a selected [illegible] text or character string to the data object. For maximum 
security, it is preferred to employ secret-key techniques and 
maintain a record of [illegible] secret keys, for future use 
in authentication of the data object. The preferred encryption method or algorithm is 
RC5. 

Finally, at block 17, the encrypted data object is digested or hashed using a hash 
routine to generate a distinct data object. A hash routine generates a data string that is 
characteristic of the underlying data object that is subjected to the hash routine. The 
preferred hashing algorithm is SHA-1. There are several hashing routines or algorithms, 
such as SHA-1, that are suitable for use in the method according to the present invention. 
All of these hashing routines or algorithms share the following characteristics: 

• the underlying data object cannot be reproduced from the hashed data 
string (it is a one-way or irreversible process); 
• the routine produces a data string of fixed length; and 
• the routine will not yield the same data string for two different data objects. 

Hashing is sometimes referred to as a method of encryption, but this is inaccurate: the 
very essence of encryption is that it can be decrypted or the process reversed. Hashing, 
by its very nature, is not reversible. According to the preferred embodiment of the 
present invention, the hashing or digesting step may comprise application of a single 
hashing algorithm [illegible] the encrypted data object and signature data. 
Alternatively, the hashing [illegible] 
different hashing algorithms. 

The result of the hashing step is a distinct data object that has characteristics of 
both the underlying data object and the signature or authentication data. The distinct data 
object may be appended [illegible] data 
object [illegible] transmitted, along with the original data 
object to a recipient party to permit the recipient party to later confirm the authenticity 
of the original data object [illegible] of the data object and the signature or 
authentication data. 

Figure 2 is a block diagram depicting [illegible] 
performing the steps of the method according to the present invention. According to the 
preferred embodiment of the present invention, the encryption and hashing steps are 
performed on the user's computer 19, which may be a personal computer, a client/server 
workstation, terminal for a mainframe or minicomputer or the like. The signature or 
authentication data is provided by a trusted third party 21, who also provides 
encryption and hashing algorithms and keeps a record of the encryption or combining 
techniques and any secret keys for use in the authentication. Alternatively, the 
encryption and hashing algorithms are resident on and maintained by user's system 19. 

According to one embodiment of the invention, [illegible] is hashed 
and then sent to the trusted third party 21, to preserve the confidentiality of the original 
data object. In this embodiment, the trusted third party performs the encryption and 
hashing or digesting steps and [illegible] data object and authentication 
data to user 19 to associate with or combine with the original data object. 
Communication between user 19 and trusted third party 21 is accomplished in a 
number of ways, [illegible] link, [illegible] cable modem, or http 
protocol (each with [illegible]). [illegible] 21 maintains records of any 
encryption [illegible] hashing algorithm(s) for future use by the 
party that later [illegible]. 

Figure 3 is a high-level flow chart illustrating the steps of the authentication portion 
of the method according to the present invention. To authenticate the data object, an 
original copy, block 31, of the data object, identical to the first, is combined with 
signature or authentication data, at block 35. The original copy of the data object and 
signature or authentication data can be provided by the originator, or can be kept by the 
trusted third party along with the encryption and/or hashing algorithms. After the copy 
of the original data object is combined with the authentication or signature data, the 
combination is encrypted in an identical fashion to the original, at block 35. At block 
37, [illegible] is then hashed or digested identically to the first, 
and the resulting distinct data object compared with the original data object (the result of 
block 17 in Figure 1) and the two are compared for identity. If the two are identical, the 
underlying data object (or the copy) is thus verified or authenticated. If not identical, the 
data object or copy is not authenticated and cannot be trusted (i.e., the copy or document 
purporting to be original has been altered and is not identical to the first or the 
authentication data has been altered). 
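
The sealing and verification steps described above, as an added example that is not part of the patent text. It follows the variant in which the data object is hashed before the time-stamp is attached, uses SHA-1 as the page specifies, and substitutes an HMAC-SHA256 keystream XOR for RC5 (an assumption, since the Python standard library has no RC5); the function names, key and sample document are constructed.

```python
import hashlib
import hmac

# Constructed sample inputs (only the time-stamp format comes from the page).
KEY = b"constructed-demo-key-held-by-trusted-party"
DOC = b"Constructed sample contract text, version 1.\n"
STAMP = "22:13.02; 4 April 1998"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption, NOT RC5): XOR with an
    HMAC-SHA256 counter keystream. It is deterministic on purpose: the
    verifier must reproduce the exact ciphertext, so no random IV is used."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hmac.new(key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def seal(document: bytes, timestamp: str, key: bytes, hash_name: str = "sha1") -> bytes:
    """Hash the object, attach the time-stamp, encrypt, then hash again."""
    doc_digest = hashlib.new(hash_name, document).digest()
    ts = timestamp.encode("utf-8")
    # Length-prefix the time-stamp so the field boundary is unambiguous.
    stamped = len(ts).to_bytes(2, "big") + ts + doc_digest
    encrypted = keystream_xor(key, stamped)
    return hashlib.new(hash_name, encrypted).digest()


def verify(document: bytes, timestamp: str, key: bytes, expected: bytes,
           hash_name: str = "sha1") -> bool:
    """Recompute the distinct data object and compare the two for identity."""
    recomputed = seal(document, timestamp, key, hash_name)
    return hmac.compare_digest(recomputed, expected)  # constant-time compare


def demo() -> dict:
    """Seal the sample document, then try four verification cases."""
    original = seal(DOC, STAMP, KEY)
    return {
        "unchanged": verify(DOC, STAMP, KEY, original),
        "document_altered": verify(DOC + b" ", STAMP, KEY, original),
        "timestamp_altered": verify(DOC, "22:13.03; 4 April 1998", KEY, original),
        "wrong_key": verify(DOC, STAMP, b"some-other-key", original),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} authenticated={ok}")
```

Verification needs the same key, time-stamp and combining rule that produced the first distinct data object, which is why the text has the trusted third party keep records of all three.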

Figure 4 is a block diagram depicting elements and relationships between entities 
performing the steps of the authentication portion of the method, according to the present 
invention. According to the preferred embodiment of the present invention, the 
authentication steps are performed by a trusted [illegible] 
as the recipient party 25 using information provided by the trusted third party, the 
originator or user, or [illegible] input to a 
comparator or a computer [illegible]. The output 
of the comparator verifies [illegible]. 

According to the preferred embodiment of the present invention, the method is 
performed using software [illegible] computer. 
The encryption and digesting occurs on the trusted third party's computer with the input 
and results being communicated to and from the trusted third party as described above. 
The recipient of the "authentic[illegible] through the 
trusted third party depending upon which of the parties maintains the requisite 
encryption technique, hashing [illegible], combination [illegible] method, and any encryption keys. 

The method according to the present invention provides an improved method of 
digitally signing or otherwise authenticating digital data objects. Because the hashing or 
digesting step is one-way or irreversible, the encrypted portion of the "signature" is not 
susceptible to unauthorized decryption, even by marked advances in computational 
power. Because of this advantage, the trusted third party or vendor must keep scrupulous 
records of the encryption or combining techniques, hashing methods and encryption keys 
employed in providing the signature or authentication data. 

The invention has been described with reference to preferred embodiments thereof. 
It is thus not limited, but is susceptible to variation and modification without departing 
from the scope and spirit of the invention, which is defined by the claims, which follow. 



CLAIMS 

1. A method of securely associating signature data with other data, the method 
comprising the steps of: 

associating a data object with signature data; 

encrypting both the data object and the signature data; and 

generating a distinct data object from the encrypted data object and signature data, 
the distinct data object having characteristics determined by the data object and the 
signature data. 

2. The method according to claim 1 further comprising the step of: 

delivering the distinct data object and signature data to a recipient party. 

3. The method according to claim 2, further comprising the step of: 

validating the distinct data object and signature data combination by: 

associating a second data object, identical to the first, with the signature 
data; 

encrypting the second data object and the signature data using an 
encryption method identical to that employed in encrypting the first data object 
and the signature data; 

generating a second distinct data object from the encrypted second data 
object and the signature data using a method identical to that employed in 
generating the distinct data object; and 

comparing the distinct and second distinct data objects for identity. 

4. The method according to claim 1, wherein the signature data is provided by a trusted 
party. 

5. The method according to claim 1, wherein the encrypting step is performed using a 
symmetric data encryption technique. 

6. The method according to claim 1, wherein the step of generating the distinct data 
object is performed using a hash routine. 



7. A method of providing [illegible] object comprising the steps of: 

generating a distinct [illegible]; 

associating signature data with the distinct value to produce a signed data object; 

encrypting the signed data object; and 

generating a second distinct value from the encrypted signed data object, the 
second distinct data object having [illegible] data object. 

8. The method according to claim [illegible] further comprising the step of: 

delivering the second distinct data object and signature data to a recipient party. 

9. The method according to claim 8, further comprising the step of: 

validating the second distinct data object and signature data combination by: 

generating a third distinct value, identical to the first distinct value; 

associating a second signature data, identical to the first, with the third 
distinct value to produce a second signed data object; and 

[illegible] encryption method 
identical to that employed in encrypting the first signed data object; 

generating a fourth distinct value from the encrypted second signed data 
object using method identical to that employed in generating the second distinct 
value; and 

comparing the fourth distinct value and second distinct value for identity. 

10. The method according to claim 7, wherein the signature data is provided by a trusted 
party. 

11. The method according to claim 7, wherein the encrypting step is performed using a 
symmetric data encryption technique. 

12. The method according to claim [illegible], wherein the step of generating the distinct value 
is performed using a hash routine. 

13. A method of providing a time-stamp for a data object comprising the steps of: 

generating a distinct value for the data object by performing a hash routine on the 
data object; 

associating a time-stamp with the distinct value to produce a time-stamped data 
[illegible] 

encrypting the time-stamped data [illegible]; 

generating a second distinct value from the encrypted time-stamped data object by 
performing a hash routine on the encrypted time-stamped data object. 

14. The method according to claim 13 further comprising the step of: 

delivering the second distinct data object and [illegible] party. 

15. The method according to [illegible] of: 

validating the second distinct data object and time-stamp combination by: 

generating a third distinct value, identical to the distinct value; 

associating an identical time-stamp with the third distinct value to produce 
a second time-stamped data object; 

encrypting the second time-stamped data object using the identical 
encryption method; 

generating a fourth distinct value from the encrypted second time-stamped 
data object; and 

comparing the fourth distinct value and second distinct value for identity. 

16. The method according to claim 13, wherein the time stamp is provided by a trusted 
party. 

17. The method according to claim 13, wherein the encrypting step is performed using 
a symmetric data encryption technique. 